
Working repository for resume and C.V. This is a superset of information that would actually be included in a resume submission, but is detailed here to supplement my own memory. This is also my playground for different flavors of markup and layout.

ryanbreed/resume

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

59 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Ryan Breed

Contact Info
email: [email protected]
voice: +1 (661)RBR-EED1
github: github.com/ryanbreed
linkedin: linkedin.com/in/ryanbreed

Overview

Seasoned professional with 20 years of deep technical experience in architecture, monitoring, incident response, application security, and penetration testing. I have a keen interest in practical applications of large-scale data analysis, automation, and organizational resilience. I also have practical experience developing cooperative intelligence sharing partnerships with both public and private sector entities.

Education

  • University of Texas at Austin LBJ School of Public Affairs - Global Policy Studies (2012–2014)
  • University of Rochester - Bachelor of Science in Molecular Genetics (1997)

Experience

Principal Security Content Engineer

Alert Logic, Inc. (Feb 2017 - Present)
  • Process intelligence and research reports on emerging threats and implement detection content across product platforms
  • Triage incoming Threat Intelligence reports to ensure quality and accuracy for content team
  • Work with Product and Engineering teams to specify new features for product platforms to enhance detection capabilities and ensure operational stability
  • Exercise operations processes to deploy new security content to customer and production environments and identify opportunities for automation and stability enhancements
  • Implement workflow support and CI/CD pipelines for security content across customer product platforms
  • Implement tooling to automate harvesting of exploit samples from public datasets and creation of detection content in the Threat Manager platform
  • Instrument and monitor production security content across product suite and customer sensor platforms
  • Analyze customer data to identify underperforming content and implement enhancements to increase effectiveness or reduce false positive alerting
  • Develop novel analytics to identify threat actor activity and reprocess customer data to expand campaign pursuit
Accomplishments
  • Developed CloudFormation-based infrastructure deployment to migrate content release certification environment for core analytics application from legacy VMware/datacenter to AWS
  • Implemented automated deployment for content analyst infrastructure to AWS with Ansible
  • Presented "Advanced Snort Authoring and Detection Internals" workshop to Cloud Austin meetup
  • Developed antigravity-gun data warehouse tool to facilitate searches through customer data in Redshift/S3 and create analyst-ready output in pcap and other structured formats
  • Developed Docker/ECS-based container infrastructure to test proprietary detection content across multiple IDS platforms

CTO, Director of Mayhem

Cascade Failure, Inc. (May 2013 - Present)
  • Develop services products for consulting engagements in Critical Infrastructure and Information and Innovation Sectors
  • Market service products, track sales, and manage P&L forecasts
  • Conduct and present original research in Complex Systems Failures
Accomplishments
  • Participate in ODNI-sponsored DHS Public-Private Analytic Exchange Program (2017, Community Resilience - FEMA agency champion)

Principal, Critical Infrastructure Security

Electric Reliability Council of Texas (ERCOT) (Nov 2012 - Oct 2016)
  • Engage business units to develop strategic opportunities for improving grid and market systems.
  • Senior incident commander for critical incidents. Mentoring resource for other incident handlers.
  • Develop security data pipeline to enrich events and create accurate incident alerts with context.
  • Prioritize intelligence collection and analysis projects. Develop strategic plans for threats to critical grid and market systems.
  • Research and evaluate emerging technologies for application to business and security needs.
  • Perform outreach to public and private sector via ISO/RTO council and DHS CISCP. Engage in public speaking to advocate for electricity sector needs and share information and practices.
Accomplishments
  • Automated real-time integration of CMDB, IPAM, access control, and vulnerability data into machine-readable representation of entities, applications, business systems, and infrastructure.
  • Automated defensive countermeasures. Used model data to safely deploy automated containment, investigation, and other response actions from monitoring system.
  • Implemented TAXII endpoint to ingest STIX and propagate indicators to control surfaces.
  • Developed automated security testing harness for Continuous Integration with Bamboo and Nexpose. This produced reproducible audit artifacts and ensured base image builds had been developed with standardized hardening and the latest maintenance updates.
  • Automated vulnerability report definition and distribution. New infrastructure or changes in responsibility triggered reconfiguration of management reports.
  • Developed Ansible playbook generation tool to create CIS hardening tasks from OVAL XML.
  • Implemented ELK stack to monitor SIEM, log collector, and sensor logs. Developed logstash plugins to ingest CMDB and ArcSight model data.
  • Implemented Telegraf, InfluxDB, and Grafana for metrics, system telemetry, and time series analytics.
  • Developed scenario and training injects for GridEx III. Developed cyber simulator and ChatOps platform for use during exercise play.
  • Developed Big Data test bed. Deployed DataStax Enterprise Cassandra, Hortonworks Hadoop, Apache Spark, GraphLab, Neo4j, and JupyterHub environments loaded with data from IT, market, and grid systems. Developed proof-of-concept analyses showcasing each technology platform for evaluation by business and IT owners.

Manager, Critical Infrastructure Security

Electric Reliability Council of Texas (ERCOT) (Dec 2009 - Nov 2012)
  • Managed a team of 9 analysts covering monitoring, incident response, compliance, and architecture.
  • Managed employee performance and aligned development goals with strategic department objectives.
  • Developed and presented project proposals for cyber security capital investments.
  • Managed departmental budget, including annual and quarterly forecasting.
  • Led audit response efforts for security control activities in NERC CIP and SAS70 compliance programs.
  • Developed working threat model for market and grid operations to guide strategic planning.
  • Developed, maintained, and exercised Disaster Recovery and Business Continuity plans.
  • Led participation in public/private partnership projects with DOE and DHS.
  • Attained SECRET clearance under DHS Private Sector Clearance Program and attended threat briefings.
Accomplishments
  • Implemented DOE ESNM/CRISP pilot sensors and participated in program development workshops.
  • Developed automated advisory analysis system to triage and dispatch vendor security advisories.
  • Represented Cybersecurity Department in GridEx II Exercise Play.
  • Represented Electricity Subsector in classified threat workshops for IC at DOE INL.

Lead, Security Operations

Electric Reliability Council of Texas (ERCOT) (Dec 2005 - Dec 2009)
  • Performed security monitoring, incident response, and investigations.
  • Infrastructure design and implementation for SIEM, IPS, IDS, Enterprise Forensics, full-content packet capture, web content filtering, and vulnerability management.
  • Workflow development for security operations, monitoring, and investigation processes. Developed dashboards, reports, and incident documentation templates. Documented procedures and created reports for compliance controls.
  • Content development for automated analysis of security events in SIEM, IDS/IPS, and full-content capture systems.
  • Perform forensic analysis of incident artifacts and other digital evidence. Develop incident reports and brief management on findings and recommended response actions.
Accomplishments
  • Deployed 2 major iterations of ArcSight ESM.
  • Integrated ArcSight ESM with IBM/ISS IPS, Snort NIDS, Tenable Nessus, Windows Events, UNIX/Network/Firewall Syslog, Oracle RDBMS, Microsoft SQL Server and Symantec Antivirus.
  • Developed tooling to extract, analyze, and safely detonate malicious JavaScript, VBScript, PHP, and win32 PE binaries.
  • Developed full-content packet capture repository to save and index PCAP data across all network perimeters. Integrated PCAP index with investigator toolchain to facilitate context extraction.
  • Developed management application for BlueCoat site categorization via local policy database.

Security Consultant

Unisys (Mar 2003 - Dec 2005)
  • Performed security assessments, penetration tests, and risk assessments for clients in the Financial Services, Health Care, Manufacturing, and Public sectors.
  • Wrote and presented post-engagement reports to clients and provided guidance for addressing findings in line with business objectives.
  • Developed labor models and project materials to support pre-sales and standardize engagement delivery across the security practice.
  • Developed application penetration test capabilities and assessment framework for other consultants within the practice.
  • Directed team activities for large assessments and security infrastructure implementation projects.
Accomplishments

Senior Staff, Security Engineering

Zurich Global Assets (Jun 2002 - Feb 2003)
  • Administered local IDS, Firewall, and UNIX systems.
  • Acted as ZGA divisional representative at Zurich Financial Services Global Information Technology Services activities.
  • Performed security assessments across global network infrastructures.
  • Led global security monitoring team (Dublin, Zurich, Schaumburg, New York, Los Angeles) across ZFS divisions.
  • Led the global PKI implementation team.
  • Led design and implementation for Security and Network Operations Center for ZGA infrastructure.

Technical Services Director

ThruPoint (Oct 1999 - Jun 2002)
  • Performed security assessment, penetration test, infrastructure design, and infrastructure implementation projects for clients in Financial Services and Media sectors.
  • Served as final internal point of escalation for all technical matters related to security consulting.
  • Directed security projects for large engagements.
  • Provided staff skills development assistance for other security consultants.
  • Built and supported in-house security testing lab.

Security Consultant

Securities Industry Automation Corporation (SIAC) (Oct 1998 - Sep 1999)
  • Did first-shift firewall operations for internal perimeter networks.
  • Performed start-of-day and end-of-day procedures to ensure continuity of operations for second and third shifts.
  • Did requirements analysis for business requests and implemented subsequent infrastructure changes.
  • Performed UNIX system administration tasks to support maintenance activities.
  • Participated in Y2K readiness preparations for NYSE security infrastructure.

Security Consultant

Interactive Futures (May 1997 - Sep 1998)
  • Performed security assessments for clients in the Media, Legal, and non-profit sector.
  • Designed and implemented Check Point and Gauntlet firewalls for VAR customers.
  • Designed and implemented Sun Solaris/SPARC systems for VAR customers.
  • Supported pre-sales discovery and developed written responses to RFP solicitations.

Awards

  • ERCOT - Team Player Award (Mar 2016)
  • Mercedes AMG Driving Academy - 1st place Team Autocross (Jun 2015)
  • ERCOT - Core Value Award for Expertise (Apr 2014)
  • ERCOT - Team Player Award (Apr 2014)
  • ERCOT - Exceptional Performer Award (Jan 2014)
  • ERCOT - Certificate of Recognition: Principal (Dec 2012)
  • ERCOT - Team Player Award (Jul 2011)
  • Idaho National Laboratory NSTB Advanced SCADA Security Training - Team Captain and Winning Team (Nov 2008)

Certifications

  • Completion of Advanced Training - Mercedes AMG Driving Academy (2015)
  • Leadership Skills for Managers Certificate Program - University of Texas at Austin Professional Development Center (2011)
  • Advanced SCADA Security - Idaho National Laboratory National SCADA Test Bed (2008)
  • Certified SCADA Security Architect - Digital Bond, Inc. (2006)

Courses

  • SANS - Microsoft Windows Security (SANS-505)
  • SANS - Reverse-engineering Malware (SANS-610)
  • SANS - PowerShell (SANS-537)
  • SANS - Identifying and Removing Malware (SANS-537)
  • HP Enterprise - ArcSight ESM 6.5 Security Administrator and Analyst (HPE-00924200)

Skills

  • Languages (descending by mastery): Ruby, Shell (Bash), Python, R, SQL, PowerShell, XPath/XSLT, JMESPath, Go, C, x86 asm, cBPF asm, eBPF C/asm, Scala, JavaScript, Cypher, SPARQL, VBScript, Lua

  • Security: ArcSight ESM, ArcSight Logger, ArcSight Connectors, ArcSight Management Center, Snort IDS (2.9.X), Suricata IDS, Bro IDS, McAfee Network Security Platform, Cisco FirePOWER IPS (SourceFire), RSA Security Analytics (NetWitness), Carbon Black Protection (Bit9 Parity), ForeScout CounterACT, AppLocker, SELinux, auditd

  • DF-IR: Volatility Framework, plaso, log2timeline, sleuthkit, foremost, Memoryze, EnCase, F-Response, Carbon Black Response, STIX, CybOX, TAXII, OpenIOC, YARA, yextend, MISP, Soltra Edge, CRITs, Viper Framework, Unfetter Analytic

  • Reverse Engineering: Cuckoo Sandbox, McAfee ATD (Advanced Threat Defense), Capstone Engine, Unicorn CPU Emulator, KLEE, ViperMonkey VBA Parser, Kaitai Struct, radare2, CFR Java Decompiler, bytecode-viewer, origami pdf

  • Vulnerability Management: Rapid7 Nexpose, RedSeal, Tenable SecurityCenter, Tenable Nessus, Metasploit Pro, Burp Suite Pro, PhishMe, OpenSCAP, SCAP, OVAL, NASL, XCCDF, nmap, OWASP ZAP

  • Crypto: HashiCorp Vault, Microsoft Certificate Services, cfssl, OpenSSL, PKCS#11, TPM, X.509, PKI, Kerberos V5 (MIT/Heimdal), Amazon KMS

  • Config Automation: Packer, Ansible, kickstart, Chef, Amazon CloudFormation, AWS::CloudFormation::Init, cloud-init, Consul, consul-template, Active Directory Group Policy, CFEngine, Puppet

  • Workflow, Testing: JIRA, AWS CodeCommit, AWS CodeBuild, AWS CodePipeline, GitHub Enterprise, HipChat, Hubot, Lita, Rundeck, Bitbucket, git, Jenkins, Travis CI, Bamboo, Selenium, Cucumber, RSpec, Serverspec, Brakeman, RuboCop, Capybara, gauntlt

  • Data Repositories: MySQL/MariaDB, PostgreSQL, AWS DynamoDB, AWS Redshift, AWS RDS, AWS Elasticsearch, Elasticsearch, InfluxDB, Cassandra, OSIsoft PI System, Apache ZooKeeper, Oracle 11-12, MongoDB, CouchDB, HBase, Neo4j, Titan, Apache Jena, Active Directory, OpenLDAP, Redis, memcached

  • Data Pipeline, Processing: Logstash, Apache Kafka, Apache Spark, Apache Qpid, AWS SQS, AWS Lambda, AWS Kinesis, RabbitMQ, Pentaho Data Integration, Avro, Parquet, ZeroMQ, Apache Tika

  • Monitoring: Telegraf, Datadog, Kapacitor, Sensu, Zabbix, Nagios, rsyslog, AWS CloudTrail, AWS CloudWatch Logs, AWS CloudWatch Events, AWS CloudWatch Metrics, collectd, StatsD, Graphite, Jolokia, jmxtrans, syslog-ng, CEF, Splunk, Graylog2, Filebeat, WBEM, WMI, WQL

  • Web: Apache HTTPD, nginx, Varnish Cache, Squid, HAProxy, Traefik, ModSecurity, OWASP CRS3 (ModSecurity Core Rule Set), mod_proxy, mod_rewrite, mod_ssl, F5 LTM, ICAP

  • Virtualization: Vagrant, Docker, QEMU, KVM, libvirtd, AWS EC2, AWS ECS, AWS AMI creation, OpenStack, Google GCE, VMware ESX, VMware Workstation, VirtualBox

  • Scheduling, Clustering: YARN v2, Kubernetes, Apache Mesos, Apache Spark, Swarm, keepalived, LVS, Sidekiq, Celery

  • Analysis, Visualization: Jupyter, RStudio, Apache Spark, Tableau, Pig, pandas, Shiny, Grafana, Kibana, D3.js

  • Machine Learning: scikit-learn, TensorFlow, Weka, Vowpal Wabbit, MALLET, SparkML (1.2)

  • NLP: Stanford CoreNLP, spaCy, DeepDive, word2vec

  • Compliance: NERC CIP, SSAE16, NIST SP 800-53, NIST Cybersecurity Framework, PCI DSS

  • Operating Systems: Linux (CentOS, RHEL, Ubuntu, Debian, AMZN1/AMZN2), Windows Server 2008/2012, macOS, OpenBSD, FreeBSD, NetBSD, AIX 6.X/7.X, HP-UX 11.X, Tru64 (DEC UNIX), Solaris 2.4-10, SunOS 4.1

  • Network: Cisco IOS, Arista EOS, Gigamon, Open vSwitch (OVS), BPF/eBPF, ISC BIND, ISC DHCPD, ISC Kea, Ubiquiti UniFi, Ubiquiti EdgeOS, collins IPAM/DDI, AWS Route53, AWS VPC, Infoblox DDI, Wireshark, net-snmp, pmacct, softflowd, Guacamole

  • Storage: AWS EFS, AWS EBS, AWS S3, MinIO, LVM, multipathd, mdraid, XFS, Samba, nfsd, Ganesha NFS, Ceph, OpenStack Swift, Hadoop HDFS
